Hi David,

pgAdmin4 does not use log4j.

On Thu, Dec 16, 2021 at 4:13 PM IT-Security BCM (OEGK-14) <it-secur...@oegk.at> wrote:

> Dear Toshniwal,
>
> as you probably are aware, the Java logging framework log4j is subject to
> an RCE vulnerability. Therefore I would like to inquire if pgAdmin 4 is using
> the log4j library.
>
> Kind regards,
>
> David Glaser
>
> David Glaser, BSc
> Informationstechnologie
> Business Continuity Management
> Gruberstraße 77
> 4021 Linz
> Tel. +43 5 0766-14102753
> Mobile +43 664 811 5979
> david.gla...@oegk.at
> www.gesundheitskasse.at
> <https://www.gesundheitskasse.at/cdscontent/?contentid=10007.813892&portal=oegkportal>
>
> Information under Art. 13 and 14 of the General Data Protection Regulation
> on the processing of your personal data can be found on our website at
> www.gesundheitskasse.at/datenschutz.
>
> -----Original Message-----
> From: Stefan Kaltenbrunner <ste...@kaltenbrunner.cc>
> Sent: Thursday, 16 December 2021 10:45
> To: IT-Security BCM (OEGK-14) <it-secur...@oegk.at>; secur...@postgresql.org
> Subject: Re: Inquiry about log4j
>
> Hi David!
>
> First: This email address is for reporting security vulnerabilities for
> PostgreSQL per https://www.postgresql.org/support/security/.
>
> However given the widespread impact of CVE-2021-44228 we can certainly
> tell you that PostgreSQL itself is not vulnerable to this CVE due to being
> primarily written in C.
>
> For the two other projects you mentioned you should contact the relevant
> authors or developers individually to get a definitive answer:
>
> https://www.postgresql.org/list/pgsql-odbc/ might be a good place for
> pgsql-odbc and https://www.pgadmin.org/support/ for pgAdmin 4
>
> However given the fact that pgsql-odbc is also written in C and pgAdmin
> 4 is Python I would not expect any log4j dependencies there.
>
> regards
>
> Stefan
>
> On 16.12.21 09:00, IT-Security BCM (OEGK-14) wrote:
> > Dear Sirs and Madams,
> >
> > as you probably are aware, the Java logging framework log4j is subject
> > to an RCE vulnerability (CVE-2021-45046
> > <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>).
> >
> > I would like to inquire if either PostgreSQL, pgAdmin or the psqlodbc
> > driver are using the log4j framework and vulnerable to the exploit. If
> > they are, information regarding:
> >
> > - the used version of the framework
> > - mitigations or patches (if not, when can availability of those be
> >   expected)
> >
> > would be very helpful.
> >
> > Kind regards,
> >
> > David Glaser

--
Thanks,
Aditya Toshniwal
pgAdmin Hacker | Software Architect | edbpostgres.com <http://edbpostgres.com>
"Don't Complain about Heat, Plant a TREE"
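The answers in this thread rest on the implementation language of each project. For any product you actually run, the practical check is to look at the installed files rather than ask the vendor. The following is an added example, not pgAdmin, PostgreSQL or psqlodbc code: it walks an install directory, opens every Java archive (including jars nested inside a .war or .ear, which a plain filename search misses), and reports archives that bundle log4j-core together with the version recorded in its Maven metadata. Presence of the JndiLookup class identifies log4j-core 2.x; whether that version is exposed to CVE-2021-44228 or CVE-2021-45046 then has to be read off the Apache advisory. The sample jar, war and the version string 2.14.1 are constructed test data, not files from any real product.

```python
# Added example (not project code): verify for yourself whether an installed
# product bundles log4j-core, instead of relying on "it is written in C/Python".
import io
import os
import tempfile
import zipfile

# The class that CVE-2021-44228 abuses. It is present in log4j-core 2.x
# archives; the version string decides whether the build is exposed.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata shipped inside log4j-core, carrying the exact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def _inspect_archive(zf, location, findings):
    """Record log4j-core hits in one open archive, recursing into nested ones."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if JNDI_LOOKUP in names:
        findings.append({"archive": location, "log4j_core_version": version})
    # Shaded or nested jars (e.g. WEB-INF/lib/*.jar inside a .war) hide log4j
    # from a filename search, so open them in memory as well.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _inspect_archive(inner, location + "!" + name, findings)
            except zipfile.BadZipFile:
                continue


def scan_for_log4j(root):
    """Walk `root` and return the archives (outer or nested) containing JndiLookup."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    _inspect_archive(zf, path, findings)
            except zipfile.BadZipFile:
                continue  # not a real zip, e.g. a renamed file
    return findings


def build_sample_tree(base):
    """Constructed test data: one clean jar, one log4j-core jar, and a war that
    nests the log4j-core jar. Class bytes and version are made up."""
    os.makedirs(os.path.join(base, "lib"), exist_ok=True)
    clean = os.path.join(base, "lib", "commons-lang3-3.12.0.jar")
    with zipfile.ZipFile(clean, "w") as zf:
        zf.writestr("org/apache/commons/lang3/StringUtils.class", b"\xca\xfe\xba\xbe")
    log4j = os.path.join(base, "lib", "log4j-core-2.14.1.jar")
    with zipfile.ZipFile(log4j, "w") as zf:
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\nversion=2.14.1\n")
    war = os.path.join(base, "app.war")
    with zipfile.ZipFile(war, "w") as zf:
        with open(log4j, "rb") as fh:
            zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", fh.read())
    return base


def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_log4j(build_sample_tree(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(hit["archive"], "-> log4j-core", hit["log4j_core_version"])
```

Run it against a real install by calling `scan_for_log4j("/opt/<product>")` (path is an assumption). A clean result only says no log4j-core archive was found on disk; a Java product that loads log4j from the system classpath or fetches it at runtime needs the same check run where those jars actually live.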